The Hacker News — Cyber Security, Hacking, Technology News

Two separate proof-of-concept (PoC) exploits for the Memcached amplification attack have been released online, which could allow even script kiddies to easily launch massive DDoS attacks using UDP reflection.

The first DDoS tool is written in the C programming language and works with a pre-compiled list of vulnerable Memcached servers.

As a bonus, its description already includes a list of nearly 17,000 potentially vulnerable Memcached servers left exposed on the Internet.

The second Memcached DDoS attack tool is written in Python and uses the Shodan search engine API to obtain a fresh list of vulnerable Memcached servers, then sends UDP packets with spoofed source addresses to each server.

Last week saw two record-breaking DDoS attacks, a 1.35 Tbps attack on GitHub and a 1.7 Tbps attack against an unnamed US-based company, both carried out using a technique called amplification/reflection.

For those unaware, a Memcached-based amplification/reflection attack amplifies the bandwidth of a DDoS attack by a factor of 51,000 by exploiting thousands of misconfigured Memcached servers left exposed on the Internet.

Memcached is a popular open-source distributed memory caching system, which came into the news earlier last week when researchers detailed how attackers could abuse it to launch amplification/reflection DDoS attacks by sending a forged request to a targeted Memcached server on UDP port 11211 with a spoofed source IP address matching the victim's IP.

A request of only a few bytes sent to a vulnerable Memcached server can trigger a response tens of thousands of times larger, directed at the targeted IP address, resulting in a powerful DDoS attack.

Since Memcached was revealed as a new amplification/reflection attack vector last week, some hacking groups have started exploiting unsecured Memcached servers.

The situation will now get worse with the release of PoC exploit code, which allows anyone to launch massive DDoS attacks, and it will not come under control until every vulnerable Memcached server is patched, firewalled on port 11211, or taken offline entirely.

Moreover, cybercriminal groups have already started weaponizing this new DDoS technique to extort money from big websites.

Following last week's DDoS attack on GitHub, Akamai reported that its customers had received extortion messages, delivered alongside the typically "junk-filled" attack payloads, demanding 50 XMR (Monero), valued at over $15,000.

Reflection/amplification attacks are not new. Attackers have previously used this DDoS attack technique to exploit flaws in DNS, NTP, SNMP, SSDP, Chargen and other protocols in order to maximize the scale of their cyber attacks.

To mitigate the attack and prevent Memcached servers from being abused as reflectors, the best option is to bind Memcached to a local interface only or entirely disable UDP support if not in use.
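A defender-side check for the mitigation just described, added here as an example and not code from the article: it audits a memcached option string for the two settings that matter, UDP disabled (`-U 0`) and a non-public listen address (`-l`). It assumes the standard memcached `-U`/`--udp-port` and `-l`/`--listen` flags and the pre-1.5.6 default of UDP enabled when `-U` is absent; the sample option strings are constructed.

```shell
#!/bin/sh
# Added example (not from the article): audit a memcached option string for the
# two settings that stop a server acting as a reflector: UDP off and a local bind.
# Assumptions: standard memcached flags -U <port> / --udp-port=<port> and
# -l <addr> / --listen=<addr>; an absent -U is treated as UDP enabled on 11211,
# which was the default before memcached 1.5.6.

# Prints one finding per line; returns 0 when hardened, 1 when it can be abused.
audit_memcached_opts() {
    opts=$1
    udp_port=11211      # default when -U is absent (UDP enabled)
    listen_addr=""      # empty means every interface
    prev=""
    for tok in $opts; do
        # short form: the value follows the flag as the next token
        case "$prev" in
            -U) udp_port=$tok ;;
            -l) listen_addr=$tok ;;
        esac
        # long form: flag and value in one token
        case "$tok" in
            --udp-port=*) udp_port=${tok#--udp-port=} ;;
            --listen=*)   listen_addr=${tok#--listen=} ;;
        esac
        prev=$tok
    done

    rc=0
    if [ "$udp_port" != "0" ]; then
        echo "FAIL: UDP enabled on port $udp_port; a spoofed request is reflected at the victim. Set -U 0."
        rc=1
    fi
    case "$listen_addr" in
        ""|0.0.0.0|::|"[::]")
            echo "FAIL: listening on all interfaces (${listen_addr:-unset}); bind with -l 127.0.0.1 or an internal address."
            rc=1 ;;
    esac
    if [ "$rc" -eq 0 ]; then
        echo "OK: UDP disabled and bound to $listen_addr"
    fi
    return "$rc"
}

# Constructed sample option strings: an exposed setup and the hardened form.
EXPOSED_OPTS="-m 64 -p 11211 -U 11211 -l 0.0.0.0"
HARDENED_OPTS="-m 64 -p 11211 -U 0 -l 127.0.0.1"

# Stand-alone run: audit both samples (|| true keeps a FAIL from aborting under set -e).
for o in "$EXPOSED_OPTS" "$HARDENED_OPTS"; do
    echo "== memcached $o"
    audit_memcached_opts "$o" || true
done
```

Feed it the OPTIONS line from /etc/sysconfig/memcached or the flattened `-l`/`-U` lines of /etc/memcached.conf, and pair the fix with a firewall rule that drops UDP 11211 from outside the trusted network.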

Now you can download and install Kali Linux directly from the Microsoft App Store on Windows 10 just like any other application.

I know it sounds crazy, but it's true!

Kali Linux, a very popular, free, and open-source Linux-based operating system widely used for hacking and penetration testing, is now natively available on Windows 10, without requiring dual boot or virtualization.

Kali Linux is the latest Linux distribution to be made available on the Windows App Store for one-click installation, joining other popular distributions such as Ubuntu, openSUSE and SUSE Linux Enterprise.

In Windows 10, Microsoft has provided a feature called "Windows Subsystem for Linux" (WSL) that allows users to run Linux applications directly on Windows.

"For the past few weeks, we've been working with the Microsoft WSL team to get Kali Linux introduced into the Microsoft App Store as an official WSL distribution, and today we're happy to announce the availability of the 'Kali Linux' Windows application," Kali Linux said while announcing the news.

How to Download and Run Kali Linux on Windows 10

If this is your first time using Windows Subsystem for Linux (WSL), you need to enable this optional Windows feature before getting the Kali Linux app.

Follow these simple steps to enable WSL:

Navigate to Control Panel and go to "Apps and features"

Select "Programs and Features" from the right panel

Click the "Turn Windows features on or off" from the left menu

Select the "Windows Subsystem for Linux" and save it

Reboot your system

You can also do the same by opening PowerShell as Administrator, running the following command, and restarting your computer.

Now search for Kali Linux in the Windows Store and download it with a single click. Once you launch the application, it automatically completes the Kali installation and opens a console window.

That's it! You can also check Kali Linux documentation for more information.

If you are interested in enabling Kali's desktop environment, here's a video demonstration showing how you can install xfce4 and xrdp to connect Kali Linux over Remote Desktop.

This announcement is especially exciting for security professionals and penetration testers who have limited toolsets due to enterprise compliance standards.

Kali Linux on Windows does not come with any hacking or penetration testing tools pre-installed, but you can easily install them later.

It should be noted that your antivirus application or Windows Defender may trigger false-positive warnings for hacking tools and exploits, but you need not worry about it.

Microsoft is following its commitment to the open source community. In 2013, the company launched Visual Studio, and a year later, it open-sourced .NET. In 2015, Microsoft open-sourced the Visual Studio Code Editor, as well.

Security researchers have uncovered a previously undetected group of Russian-speaking hackers that has been silently targeting banks, financial institutions, and legal firms, primarily in the United States, the UK, and Russia.

Moscow-based security firm Group-IB published a 36-page report on Monday, providing details about the newly-disclosed hacking group, dubbed MoneyTaker, which has been operating since at least May 2016.

In the past 18 months, the group is believed to have conducted more than 20 attacks against various financial organisations, stealing more than $11 million along with sensitive documents that could be used in future attacks.

According to the security firm, the group has primarily been targeting card processing systems, including the AWS CBR (Russian Interbank System) and SWIFT international bank messaging service (United States).

"Criminals stole documentation for OceanSystems' FedLink card processing system, which is used by 200 banks in Latin America and the US," Group-IB says in its report.

Group-IB also warned that the MoneyTaker attacks against financial organizations appear to be ongoing and banks in Latin America could be their next target.

MoneyTaker: 1.5 Years of Silent Operations

Since its first successful attack in May last year, MoneyTaker has targeted banks in California, Illinois, Utah, Oklahoma, Colorado, South Carolina, Missouri, North Carolina, Virginia and Florida, primarily targeting small community banks with limited cyber defenses.

Even after a large number of attacks against so many targets, the MoneyTaker group managed to keep its activities concealed and unattributed by using various publicly available penetration testing and hacking tools, including Metasploit, NirCmd, PsExec, Mimikatz, PowerShell Empire, and code demonstrated as proof-of-concept at a Russian hacking conference in 2016.

"To propagate across the network, hackers used a legitimate tool psexec, which is typical for network administrators," Group-IB says in its report.

Besides using open-source tools, the group has also been heavily utilizing Citadel and Kronos banking trojans to deliver a Point-of-Sale (POS) malware, dubbed ScanPOS.

"Upon execution, ScanPOS grabs information about the current running processes and collects the user name and privileges on the infected system. That said, it is primarily designed to dump process memory and search for payment card track data. The Trojan checks any collected data using Luhn’s algorithm for validation and then sends it outbound to the C&C server."

"The group uses 'fileless' malware only existing in RAM and is destroyed after reboot. To ensure persistence in the system MoneyTaker relies on PowerShell and VBS scripts - they are both difficult to detect by antivirus and easy to modify. In some cases, they have made changes to source code 'on the fly' – during the attack,"

"To escalate privileges up to the local administrator (or SYSTEM local user), attackers use exploit modules from the standard Metasploit pack, or exploits designed to bypass the UAC technology. With local administrator privileges they can use the Mimikatz program, which is loaded into the memory using Meterpreter, to extract unencrypted Windows credentials."

Moreover, MoneyTaker also makes use of SSL certificates generated using the names of well-known brands, including Bank of America, Microsoft, Yahoo and the Federal Reserve Bank, to hide its malicious traffic.

The group also configures its servers so that malicious payloads can only be delivered to a predetermined list of IP addresses belonging to the targeted company, and it relies on PowerShell and VBS scripts for persistence on the targeted system.

The very first attack that Group-IB attributes to MoneyTaker was conducted in May 2016, when the group managed to gain access to First Data's STAR, the largest U.S. bank transfer messaging system, connecting ATMs at over 5,000 organizations, and stole money.

In January 2017, a similar attack was repeated against another bank.

Here's how the attack works:

"The scheme is extremely simple. After taking control over the bank's network, the attackers checked if they could connect to the card processing system. Following this, they legally opened or bought cards of the bank whose IT system they had hacked," Group-IB explains.

"Money mules – criminals who withdraw money from ATMs – with previously activated cards went abroad and waited for the operation to begin. After getting into the card processing system, the attackers removed or increased cash withdrawal limits for the cards held by the mules."

The money mules then removed overdraft limits, which made it possible for them to overdraw cash even with debit cards. Using these cards, they "withdrew cash from ATMs, one by one."

According to the report, the average money stolen by MoneyTaker from United States banks alone was about $500,000, and more than $3 million was stolen from at least three Russian banks.

The report also detailed an attack against a Russian bank, wherein the MoneyTaker group used a modular malware program to target the AWS CBR (Automated Work Station Client of the Russian Central Bank)—a Russian interbank fund transfer system similar to SWIFT.

The modular tool had capabilities to search for payment orders and modify them, replace original payment details with fraudulent ones, and carefully erase malware traces after completing its tasks.

While it is still unclear how MoneyTaker managed to gain its foothold in corporate networks, in one specific case the entry point into the bank's internal network was the home computer of the bank's system administrator.

Group-IB believes that the hackers are now looking for ways to compromise the SWIFT interbank communication system, although it found no evidence of MoneyTaker behind any of the recent cyber attacks on SWIFT systems.

Almost two months after releasing details of 23 different secret CIA hacking tool projects under the Vault 7 series, WikiLeaks today announced a new Vault 8 series that will reveal source code and information about the backend infrastructure developed by CIA hackers.

Beyond the announcement, the whistleblower organisation has also published the first batch of the Vault 8 leak, releasing the source code and development logs of Project Hive, a significant backend component the agency used to covertly control its malware remotely.

In April this year, WikiLeaks disclosed brief information about Project Hive, revealing that the project is an advanced command-and-control server (malware control system) that communicates with malware to send commands for executing specific tasks on the targets and to receive information exfiltrated from the target machines.

Hive is a multi-user all-in-one system that can be used by multiple CIA operators to remotely control multiple malware implants used in different operations.

Hive's infrastructure is specifically designed to prevent attribution: it uses a public-facing fake website followed by multi-stage communication over a Virtual Private Network (VPN).

"Using Hive even if an implant is discovered on a target computer, attributing it to the CIA is difficult by just looking at the communication of the malware with other servers on the internet," WikiLeaks says.

As shown in the diagram, the malware implants communicate directly with a fake website, running on a commercial VPS (Virtual Private Server), which looks innocent when opened directly in a web browser.

However, in the background, after authentication, the malware implant can communicate with the web server (hosting fake website), which then forwards malware-related traffic to a "hidden" CIA server called 'Blot' over a secure VPN connection.

The Blot server then forwards the traffic to an implant operator management gateway called 'Honeycomb.'

In order to evade detection by network administrators, the malware implants use fake digital certificates for Kaspersky Lab.

"Digital certificates for the authentication of implants are generated by the CIA impersonating existing entities," WikiLeaks says.

"The three examples included in the source code build a fake certificate for the anti-virus company Kaspersky Laboratory, Moscow pretending to be signed by Thawte Premium Server CA, Cape Town."

The whistleblowing organisation has released the source code for Project Hive, which is now available for anyone, including investigative journalists and forensic experts, to download and examine.

The source code published in the Vault 8 series only contains software designed to run on servers controlled by the CIA, while WikiLeaks assures that the organisation will not release any zero-day or similar security vulnerabilities which could be abused by others.

With the rise in cyber-crimes, ethical hacking has become a powerful strategy in the fight against online threats.

In general terms, ethical hackers are authorised to break into supposedly 'secure' computer systems without malicious intent, but with the aim of discovering vulnerabilities to bring about improved protection.

Ethical hackers are becoming the alchemists of the 21st century.

More and more organisations are being targeted in cyber-attacks, and they must get to know their enemy if they are to protect vital networks. Meet the professional, ethical hacker.

Despite this, the common belief among many at-risk companies is that 'to outwit a hacker, you need to hire one'.

With so much at stake, even technology providers are turning to those with hacking skills to find the flaws in their products and fix them before the baddies can exploit them.

Infamous Apple Hacker Turned Ethical; Hired by Facebook

23-year-old George 'GeoHot' Hotz gained notoriety in 2007 when he became the first person to 'jailbreak' Apple's iPhone by creating a program that enabled iPhone users to modify their devices to run on other carrier networks, despite AT&T having an exclusive deal with Apple.

Two years later, Hotz cracked Sony's PlayStation 3 games console, gaining access to the machine's processor, which let gamers modify their consoles and run unapproved applications and pirated games.

However, despite his reputation, social networking giant Facebook hired Hotz, and he is reported to be engaged in building an anti-hacker defence programme.

Start Your Career in Ethical Hacking

As companies begin to employ ethical hackers, the need for IT specialists with accredited skills is growing, but ethical hackers require support too.

Learning how to hack helps information security professionals implement the most robust possible security practices. It is as much about finding and fixing security vulnerabilities as it is anticipating them.

As you learn more about the methods hackers use to infiltrate systems, you will be able to pre-emptively resolve issues; if you do not understand how black hat hackers could get into your systems, you are going to have a hard time securing them.

Think of it this way: a computer network is like a yard with a fence to keep people out. If you have put something valuable inside the yard, someone may want to hop the fence and steal it.

Ethical hacking is like regularly checking for vulnerabilities in and around the fence, so you can reinforce weak areas before anyone tries to get in.

8 Online Ethical Hacking Training Courses (With Samples)

Here is an excellent opportunity for you to learn to hack through live demonstrations and hands-on experience with the latest tools.

This week we are introducing a new package of 8 online courses: The Zero to Hero Cyber Security Hacker Bundle, which usually costs $360, but you can exclusively get this 8-in-1 online training course for just $29 after 91% discount.

This course forms the basis for anyone who wants to become a real-time penetration tester. You will learn how to research and gather information about a target without leaving any traces, all in an ethical way.

By the end of the course, you will be familiar with how attackers gather their information before launching an attack and know how to mitigate it beforehand.

Learn the information security fundamentals needed to operate organisational processes.

In this course, you will learn how employees, business owners, and other computer users tend to have their security compromised, and what you can do to help safeguard yourself and others from digital attacks.

In this course, you will learn how cryptography, steganography, password cracking, game hacking, reverse engineering, and privilege escalation based attacks are performed in a simulated test environment ethically.

This course helps system security professionals mitigate these attacks. It is perfect for anybody who is passionate about developing their skills in the field of internet security.

This online video training course offers 47 lectures focusing on the practical side of penetration testing using Android, without neglecting the theory behind each attack.

This course will help you learn how to turn your Android smartphone into a hacking machine, practically perform various cyber attacks, and at the same time, how you can protect yourself against such attacks.

This course will walk you through pentesting on the Android platform from the basics to an advanced level, including 'Weaponising', 'Information Gathering', 'Spying', and 'Exploitation', which eventually helps you gain full control over the target device.

You will also learn to practically launch an attack with a full understanding of the vectors that allow attacks to be executed successfully, which will help you detect, and sometimes prevent, such attacks.

Practically, by the end of this course, you will also learn how to root your Android device, which hacking apps are required for penetration testing, how to crack Wi-Fi passwords, how to perform man-in-the-middle attacks to spy on internet connections, how to scan connected devices for vulnerabilities, as well as how to take control over Windows/OSX/Linux devices and many more techniques.

If you are searching for free ready-made hacking tools on the Internet, then beware: most freely available tools claiming to be a Swiss army knife for hackers are nothing but a hoax.

Last year, we reported on one such Facebook hacking tool that actually had the capability to hack a Facebook account, but yours, not the one you desired to hack.

Now, a Remote Access Trojan (RAT) builder kit recently spotted being offered for free on multiple underground hacking forums has been found to contain a backdoored module designed to give the kit's authors access to all of the victims' data.

Dubbed Cobian RAT, the malware has been in circulation since February of this year and has some similarities with the njRAT and H-Worm family of malware, which has been around since at least 2013.

According to ThreatLabZ researchers from Zscaler, who discovered the backdoored nature of the malware kit, the "free malware builder" is likely capable of allowing other wannabe hackers to build their own versions of the Cobian RAT with relative ease.

Once criminals create their own version of the malware using this free builder, they can distribute it via compromised websites or traditional spam campaigns to victims all over the world, recruiting affected devices into a malicious botnet.

The Cobian RAT then steals data on the compromised system, with the capability to log keystrokes, take screenshots, record audio and webcam video, install and uninstall programs, execute shell commands, use dynamic plug-ins, and manage files.

Cyber Criminals Want to Hack Wannabe Hackers

Now, if you are excited to learn that all these capabilities are offered free of charge by the original authors of the builder kit, as they claim, you are mistaken.

Unfortunately, the custom RATs created using this free Cobian RAT malware builder kit have a hidden backdoor module, which silently connects to a Pastebin URL that serves as the kit authors' command-and-control (C&C) infrastructure.

The backdoor, at any time, can be used by the original authors of the kit to issue commands to all RATs built on the top of their platform, eventually putting both wannabe hackers and compromised systems infected by them at risk.

"It is ironic to see that the second level operators, who are using this kit to spread malware and steal from the end user, are getting duped themselves by the original author," Deepen Desai, senior director of security research at Zscaler, wrote in a blog post published Thursday.

"The original author is essentially using a crowdsourced model for building a mega Botnet that leverages the second level operators Botnet."

The researchers also explain that the original Cobian developer is "relying on second-level operators to build the RAT payload and spread infections."

The original author then can take full control of all the compromised systems across all the Cobian RAT botnets, thanks to the backdoor module. They can even remove the second-level operators by changing the C&C server information configured by them.

A unique Cobian RAT payload recently observed by the researchers reportedly came from a Pakistan-based defence and telecommunication solutions website (potentially compromised) and was served inside a .zip archive masquerading as an MS Excel spreadsheet.

The bottom line: scrutinize free online tools very carefully before using them.

WikiLeaks has just published another Vault 7 leak, revealing how the CIA spies on its intelligence partners around the world, including the FBI, DHS and the NSA, to covertly collect data from their systems.

The CIA offers a biometric collection system, with predefined hardware, operating system and software, to its intelligence liaison partners around the world, which lets them voluntarily share the biometric data collected on their systems with each other.

But since no agency shares all of its collected biometric data with others, the Office of Technical Services (OTS) within the CIA developed a tool to secretly exfiltrate data collections from their systems.

The newly revealed CIA project, dubbed ExpressLane, details spying software that CIA agents manually install as part of a routine upgrade to the biometric system.

The leaked CIA documents reveal that the OTS officers, who maintain biometric collection systems installed at liaison services, visit their premises and secretly install ExpressLane Trojan while displaying an "upgrade Installation screen with a progress bar that appears to be upgrading the biometric software."

"It will overtly appear to be just another part of this system. It’s called: MOBSLangSvc.exe and is stored in \Windows\System32," leaked CIA documents read.

"Covertly it will collect the data files of interest from the liaison system and store them encrypted in the covert partition on a specially watermarked thumb drive when it is inserted into the system."

ExpressLane includes two components:

Create Partition — This utility allows agents to create a covert partition on the target system where the collected information (in compressed and encrypted form) will be stored.

Exit Ramp — This utility lets the agents steal the collected data stored in the hidden partition using a thumb drive when they revisit.

The latest version, ExpressLane 3.1.1, removes itself by default six months after installation in an attempt to erase its footprints, though OTS officers can change this date.

The biometric software system that CIA offers is based on a product from Cross Match, a US company specialized in biometric software for law enforcement and the intelligence community, which was also used to "identify Osama bin Laden during the assassination operation in Pakistan."

Previous Vault 7 CIA Leaks

Last week, WikiLeaks published another CIA project, dubbed CouchPotato, which revealed the CIA's ability to spy on video streams remotely in real-time.

Since March, WikiLeaks has published 21 batches of the "Vault 7" series, including this week's and last week's leaks, along with the following:

Dumbo — A CIA project that disclosed the CIA's ability to hijack and manipulate webcams and microphones to corrupt or delete recordings.

Imperial — A CIA project that revealed details of at least 3 CIA-developed hacking tools and implants designed to target computers running Apple Mac OSX and different flavours of Linux OS.

UCL/Raytheon — An alleged CIA contractor that analysed in-the-wild malware and hacking tools and submitted at least five reports to the agency to help it develop its malware.

Brutal Kangaroo – A Microsoft Windows tool suite used by the agents to target closed networks or air-gapped PCs within an organisation or enterprise without requiring any direct access.

Cherry Blossom – A CIA framework employed by its agents to monitor the Internet activity of the target systems by exploiting bugs in Wi-Fi devices.

Pandemic – A CIA project that let the spying agency turn Windows file servers into covert attack machines that can silently infect other systems of interest inside the same network.

Athena – A spyware framework that the secretive US agency uses to take full remote control of infected Windows machines, and which works against every version of the Windows operating system, from Windows XP to Windows 10.

AfterMidnight and Assassin – Two alleged CIA malware frameworks for the Windows platform that are designed to monitor and report back actions on the infected remote host and execute malicious actions.

Archimedes – Man-in-the-middle attack tool allegedly developed by the US agency to target systems inside a Local Area Network (LAN).

Scribbles – Software allegedly designed to embed 'web beacons' into confidential documents, allowing the agents to track insiders and whistleblowers.

Grasshopper – A framework that lets the spying agency easily create custom malware for breaking into Microsoft Windows and bypassing antivirus software.

Marble – Source code of a secret anti-forensic tool used by the US agency to hide the actual source of its malicious payload.

Dark Matter – Hacking exploits the US spying agency designed and used to target iPhones and Macs.

Weeping Angel – A spying tool used by CIA agents to infiltrate smart TVs and transform them into covert microphones.

An infamous Russian-linked cyber-espionage group has been found re-using the same leaked NSA hacking tool that was deployed in the WannaCry and NotPetya outbreaks—this time to target Wi-Fi networks to spy on hotel guests in several European countries.

Security researchers at FireEye have uncovered an ongoing campaign that remotely steals credentials from high-value guests using Wi-Fi networks at European hotels and attributed it to the Fancy Bear hacking group.

Fancy Bear, also known as APT28, Sofacy, Sednit, and Pawn Storm, has been operating since at least 2007 and has also been accused of hacking the Democratic National Committee (DNC) and the Clinton campaign in an attempt to influence the U.S. presidential election.

The newly discovered campaign also uses the Windows SMB exploit (CVE-2017-0143) known as EternalBlue, one of many exploits allegedly used by the NSA for surveillance and leaked by the Shadow Brokers in April.

EternalBlue is an exploit for a vulnerability in version 1 of Windows' Server Message Block (SMB) networking protocol that lets malware spread laterally across networks; it also allowed the WannaCry and Petya ransomware to spread across the world quickly.

Since the EternalBlue code is available for anyone to use, cyber criminals are widely trying to use the exploit to make their malware more powerful.

Just last week, a new version of the credential-stealing TrickBot banking Trojan was found leveraging SMB to spread locally across networks, though the Trojan was not using EternalBlue at that time.

However, researchers have now found someone deploying the exploit to upgrade their attack.

"To spread through the hospitality company's network, APT28 used a version of the EternalBlue SMB exploit," FireEye researchers write. "This is the first time we have seen APT28 incorporate this exploit into their intrusions."

Researchers have seen ongoing attacks targeting a number of companies in the hospitality sector, including hotels in at least seven countries in Europe and one Middle Eastern country.

Here's How the Attack is Carried Out

The attacks began with a spear phishing email sent to one of the hotel employees. The email contains a malicious document named "Hotel_Reservation_Form.doc," which uses macros to decode and deploy GameFish, malware known to be used by Fancy Bear.

Once installed on the targeted hotel's network, GameFish uses the EternalBlue SMB exploit to laterally spread across the hotel network and find systems that control both guest and internal Wi-Fi networks.

Once under control, the malware deploys Responder, an open source penetration testing tool created by Laurent Gaffie of SpiderLabs, for NetBIOS Name Service (NBT-NS) poisoning in order to steal credentials sent over the wireless network.

While the hacking group carried out the attack against the hotel network, researchers believe that the group could also directly target "hotel guests of interest"—generally business and government personnel who travel in a foreign country.

The researchers revealed one such incident that occurred in 2016, where Fancy Bear accessed the computer and Outlook Web Access (OWA) account of a guest staying at a hotel in Europe, 12 hours after the victim connected to the hotel's Wi-Fi network.

This is not the only campaign apparently aimed at hotel guests. The South Korea-nexus Fallout Team (also known as DarkHotel) has previously carried out such attacks against Asian hotels to steal information from senior executives of large global companies during their business trips.

The Duqu 2.0 malware was also found targeting the Wi-Fi networks of European hotels used by participants in the Iranian nuclear negotiations, and high-profile people visiting Russia and China may have their laptops and other electronic devices accessed.

The easiest way to protect yourself is to avoid connecting to hotel Wi-Fi networks or any other public or untrusted networks, and instead, use your mobile device hotspot to get access to the Internet.

A Russian man accused of infecting tens of thousands of computer servers worldwide to generate millions in fraudulent payments has been imprisoned for 46 months (nearly four years) in a United States federal prison.

41-year-old Maxim Senakh, of Velikii Novgorod, was arrested by Finnish police in August 2015 for his role in the development and maintenance of the infamous Linux botnet called Ebury that siphoned millions of dollars from victims worldwide.

Senakh was extradited to the United States in February 2016 to face charges and pleaded guilty in late March this year, admitting to creating a massive Ebury botnet and personally profiting from the scheme.

First spotted in 2011, Ebury is an SSH backdoor Trojan for Linux and Unix-style operating systems, such as FreeBSD or Solaris, which gives attackers full remote shell control of an infected machine even if the password for the affected user account is changed regularly.

Senakh and his associates used the malware to build an Ebury botnet network of thousands of compromised Linux systems, which had the capacity of sending over 35 million spam messages and redirecting more than 500,000 online visitors to exploit kits every day.

"Working within a massive criminal enterprise, Maxim Senakh helped create a sophisticated infrastructure that victimized thousands of Internet users across the world," said Acting U.S. Attorney Brooker.

"As society becomes more reliant on computers, cyber criminals like Senakh pose a serious threat. This Office, along with our law enforcement partners, is committed to detecting and prosecuting cyber criminals no matter where they reside."

Ebury first came into headlines in 2011 after Donald Ryan Austin, 27, of El Portal, Florida, installed the Trojan on multiple servers owned by kernel.org and the Linux Foundation, which maintain and distribute the Linux operating system kernel.

Austin, with no connection to the Ebury criminal gang, was arrested in September last year and was charged with 4 counts of intentional transmission causing damage to a protected computer.

Senakh had faced a combined maximum of 30 years in prison after pleading guilty to conspiracy to commit wire fraud and to violate the Computer Fraud and Abuse Act.

However, a US judge sentenced Senakh to 46 months in prison, the Department of Justice announced on Thursday. The case was investigated by the Federal Bureau of Investigation's Minneapolis field office.

Senakh will be deported back to Russia following his release from the U.S. prison.

NanoCore RAT is popular among hackers and has been linked to intrusions in at least 10 countries, among them a high-profile assault on Middle Eastern energy firms in 2015.

NanoCore RAT, a $25 piece of remote access software, allows attackers to steal sensitive information from victim computers, such as passwords, emails, and instant messages. The RAT could even secretly activate the webcam on the victims' computers in order to spy on them.

Huddleston began developing NanoCore in late 2012, not with any malicious purpose, but with a motive to offer a low-budget remote management software for schools, IT-conscious businesses, and parents who desired to monitor their children's activities on the web.

However, according to the plea agreement, Huddleston created, marketed, and distributed two products — NanoCore RAT and Net Seal — in underground hacking forums that were extremely popular with cyber criminals around the world.

The programmer also took responsibility for creating and operating a software licensing system called "Net Seal" that was used by another suspect, Zachary Shames, to sell thousands of copies of Limitless keylogger.

"Huddleston used Net Seal to assist Zachary Shames in the distribution of malware to 3,000 people that was, in turn, used to infect 16,000 computers," the DoJ statement reads.

In his guilty plea, Huddleston has admitted that he intended his products to be used maliciously.

Huddleston was arrested in March, almost two months after the FBI raided his house in Hot Springs, Arkansas, and left with his computers after 90 minutes, only to return 8 weeks later with handcuffs.

Huddleston is now facing a maximum penalty of 10 years in prison and is scheduled to be sentenced on December 8.

THN Deals Store this week brings you the Cybersecurity Certification Mega Bundle, which will walk you through the skills and concepts you need to master three elite cybersecurity certification exams: CISA, CISM, and CISSP [...]

Good news: we bring you the amazing deal of this month for our readers, where you can get hacking courses for as little as you want to pay, and if you beat the average price you will receive the fully upgraded hacking bundle!

Hackers and cyber criminals are becoming dramatically more adept, innovative, and stealthy with each passing day.

While other operating systems are more widely in use, cybercriminals have now shifted from traditional activities to more clandestine techniques that come with limitless attack vectors, support for cross platforms and low detection rates.

Security researchers have discovered that the infamous Adwind, a popular cross-platform Remote Access Trojan written in Java, has re-emerged and is currently being used to "target enterprises in the aerospace industry, with Switzerland, Austria, Ukraine, and the US the most affected countries."

Adwind — also known as AlienSpy, Frutas, jFrutas, Unrecom, Sockrat, JSocket, and jRat — has been in development since 2013 and is capable of infecting all the major operating systems, including Windows, Mac, Linux, and Android.

Adwind has several malicious capabilities, including stealing credentials, keylogging, taking pictures or screenshots, and gathering and exfiltrating data. The trojan can even turn infected machines into a botnet and abuse them to disrupt online services by carrying out DDoS attacks.

Researchers from Trend Micro recently noticed a sudden rise in the number of Adwind infections during June 2017 — at least 117,649 instances in the wild, which is 107 percent more than the previous month.

According to a blog post published today, the malicious campaign was noticed on two different occasions.

The first wave was observed on June 7 and used a link to divert victims to .NET-written malware equipped with spyware capabilities, while the second wave was noticed on June 14 and used different domains to host the malware and its command-and-control servers.

Both waves eventually employed a similar social engineering tactic to trick victims into clicking the malicious links within a spam email that impersonates the chair of the Mediterranean Yacht Broker Association (MYBA) Charter Committee.

Once installed, the malware also collects the system's fingerprint along with a list of installed antivirus and firewall applications.

"It can also perform reflection, a dynamic code generation in Java. The latter is a particularly useful feature in Java that enables developers/programmers to dynamically inspect, call, and instantiate attributes and classes at runtime. In cybercriminal hands, it can be abused to evade static analysis from traditional antivirus (AV) solutions," the researchers wrote.

My advice for users who want to remain protected from such malware is always to be suspicious of uninvited documents sent over email and never to click on links inside those documents without verifying the source.

Additionally, keep your systems and antivirus products up-to-date in order to protect against any latest threat.

The United States government has released a rare alert about an ongoing, eight-year-long North Korean state-sponsored hacking operation.

The joint report from the FBI and U.S. Department of Homeland Security (DHS) provided details on "DeltaCharlie," a malware variant used by "Hidden Cobra" hacking group to infect hundreds of thousands of computers globally as part of its DDoS botnet network.

According to the report, the Hidden Cobra group of hackers is believed to be backed by the North Korean government and is known to launch cyber attacks against global institutions, including media organizations, the aerospace and financial sectors, and critical infrastructure.

While the US government has labeled the North Korean hacking group Hidden Cobra, it is more commonly known as Lazarus Group and Guardians of Peace – the group allegedly linked to the devastating WannaCry ransomware menace that shut down hospitals and businesses worldwide.

DeltaCharlie – DDoS Botnet Malware

The agencies identified IP addresses with "high confidence" associated with "DeltaCharlie" – a DDoS tool which the DHS and FBI believe North Korea uses to launch distributed denial-of-service (DDoS) attacks against its targets.

DeltaCharlie is capable of launching a variety of DDoS attacks on its targets, including Domain Name System (DNS) attacks, Network Time Protocol (NTP) attacks, and Character Generation Protocol (CGP) attacks.

The botnet malware is capable of downloading executables on the infected systems, updating its own binaries, changing its own configuration in real-time, terminating its processes, and activating and terminating DDoS attacks.

However, the DeltaCharlie DDoS malware is not new.

DeltaCharlie was initially reported by Novetta in its 2016 Operation Blockbuster Malware Report [PDF], which described it as the third botnet malware from the North Korean hacking group, after DeltaAlpha and DeltaBravo.
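The DNS, NTP and CharGEN attacks named above are reflection/amplification floods: a bot sends small spoofed requests to many public servers, and the much larger replies land on the victim. The following is an added example, not code from the DHS/FBI alert or from Novetta's report, of how a network defender can spot both sides of that pattern in flow records. It assumes flows are tuples of (src_ip, src_port, dst_ip, dst_port, bytes, packets), that internal hosts live in one RFC 1918 prefix, and uses constructed sample flows in documentation address ranges.

```python
"""Flag reflection/amplification DDoS traffic in flow records.

Added example, not from the DHS/FBI alert: it assumes flows are tuples of
(src_ip, src_port, dst_ip, dst_port, bytes, packets) and that internal hosts
live in a single RFC 1918 prefix. Only the three services named in the
alert (DNS, NTP, CharGEN) are treated as reflector ports.
"""
import ipaddress
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

Flow = Tuple[str, int, str, int, int, int]

# UDP services commonly abused as reflectors, keyed by their well-known port.
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 19: "CharGEN"}

# Constructed sample flows (RFC 1918 / documentation ranges; not real traffic).
SAMPLE_FLOWS: List[Flow] = (
    # Bot-side view: 10.0.0.7 fires small requests at six different external NTP servers.
    [("10.0.0.7", 40001 + i, f"203.0.113.{i}", 123, 60, 1) for i in range(1, 7)]
    # The same host also talks to two DNS servers, which is unremarkable on its own.
    + [("10.0.0.7", 40100, "203.0.113.53", 53, 70, 1), ("10.0.0.7", 40101, "203.0.113.54", 53, 70, 1)]
    # Ordinary lookup: 10.0.0.8 asks one resolver and gets a modestly larger answer.
    + [("10.0.0.8", 52000, "203.0.113.53", 53, 70, 1), ("203.0.113.53", 53, "10.0.0.8", 52000, 150, 1)]
    # Victim-side view: 10.0.0.9 is flooded with NTP responses it never requested
    # (its address was spoofed by someone else) plus one exchange it did initiate.
    + [("198.51.100.5", 123, "10.0.0.9", 80, 4400, 10), ("198.51.100.6", 123, "10.0.0.9", 80, 4400, 10)]
    + [("10.0.0.9", 41000, "198.51.100.7", 123, 60, 1), ("198.51.100.7", 123, "10.0.0.9", 41000, 4400, 10)]
)


def analyze(flows: Iterable[Flow], internal_net: str = "10.0.0.0/8",
            fanout_threshold: int = 5, min_amplification: float = 10.0) -> Dict[str, list]:
    """Return two kinds of findings.

    outbound_fanout: an internal host sent UDP to at least `fanout_threshold`
        distinct external reflectors on one service (the bot-side pattern).
    inbound_reflection: an internal host received reflector-port responses whose
        byte count is at least `min_amplification` times what it sent; if it sent
        nothing at all (the spoofed-victim pattern) the ratio is reported as inf.
    """
    net = ipaddress.ip_network(internal_net)

    def internal(ip: str) -> bool:
        return ipaddress.ip_address(ip) in net

    fanout: Dict[Tuple[str, str], set] = defaultdict(set)    # (host, service) -> reflector IPs
    sent: Dict[Tuple[str, str, str], int] = defaultdict(int)  # (host, reflector, service) -> bytes out
    recv: Dict[Tuple[str, str, str], int] = defaultdict(int)  # (host, reflector, service) -> bytes in

    for src, sport, dst, dport, nbytes, _pkts in flows:
        if internal(src) and not internal(dst) and dport in REFLECTOR_PORTS:
            svc = REFLECTOR_PORTS[dport]
            fanout[(src, svc)].add(dst)
            sent[(src, dst, svc)] += nbytes
        elif internal(dst) and not internal(src) and sport in REFLECTOR_PORTS:
            svc = REFLECTOR_PORTS[sport]
            recv[(dst, src, svc)] += nbytes

    outbound = sorted(
        ({"host": h, "service": s, "distinct_reflectors": len(ips)}
         for (h, s), ips in fanout.items() if len(ips) >= fanout_threshold),
        key=lambda f: (f["host"], f["service"]))

    inbound = []
    for (host, reflector, svc), rbytes in recv.items():
        out = sent.get((host, reflector, svc), 0)
        ratio = rbytes / out if out else float("inf")
        if ratio >= min_amplification:
            inbound.append({"host": host, "reflector": reflector, "service": svc, "amplification": ratio})
    inbound.sort(key=lambda f: (f["host"], f["reflector"]))
    return {"outbound_fanout": outbound, "inbound_reflection": inbound}


if __name__ == "__main__":
    for kind, findings in analyze(SAMPLE_FLOWS).items():
        print(kind)
        for finding in findings:
            print("  ", finding)
```

With the sample data, 10.0.0.7 is reported for fanning out to six NTP servers (its two DNS contacts stay below the threshold), while 10.0.0.9 is reported three times: twice with an infinite ratio because no matching request ever left the network, and once with a ratio of roughly 73 for the exchange it did initiate. Thresholds are deliberately parameters; tune them against a baseline of your own resolver and NTP traffic before alerting on them.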

The simplest way to defend against such attacks is always to keep your operating system and installed software and applications up-to-date, and protect your network assets behind a firewall.

Since Adobe Flash Player is prone to many attacks, and just today the company patched nine vulnerabilities in the Player, you are advised to update it or remove it completely from your computer.

The FBI and DHS have provided numerous indicators of compromise (IOCs), malware descriptions, network signatures, as well as host-based rules (YARA rules) in an attempt to help defenders detect activity conducted by the North Korean state-sponsored hacking group.

"If users or administrators detect the custom tools indicative of HIDDEN COBRA, these tools should be immediately flagged, reported to the DHS National Cybersecurity Communications and Integration Center (NCCIC) or the FBI Cyber Watch (CyWatch), and given highest priority for enhanced mitigation," the alert reads.

Besides this, the agencies have also provided a long list of mitigations for users and network administrators, which you can follow here.

Brace yourselves for a possible 'second wave' of massive global cyber attack, as SMB (Server Message Block) was not the only network protocol whose zero-day exploits created by NSA were exposed in the Shadow Brokers dump last month.

Although Microsoft released patches for the SMB flaws for supported versions in March, and for unsupported versions immediately after the outbreak of the WannaCry ransomware, the company did not patch three other NSA hacking tools, dubbed "EnglishmanDentist," "EsteemAudit," and "ExplodingCan."

It has been almost two weeks since the WannaCry ransomware began to spread, infecting nearly 300,000 computers in more than 150 countries within just 72 hours, though it has now slowed down.

For those unaware, WannaCry exploited a Windows zero-day SMB bug that allowed remote hackers to hijack PCs running an unpatched Windows OS and then spread itself to other unpatched systems using its wormable capability.

EsteemAudit: Over 24,000 PCs Still Vulnerable

Since Microsoft no longer supports Windows Server 2003 and Windows XP and, unlike for EternalBlue, has not released any emergency patch for the EsteemAudit exploit so far, over 24,000 vulnerable systems remain exposed on the Internet for anyone to hack.

"Even one infected machine opens your enterprise to greater exploitation," say Omri Misgav and Tal Liberman, security researchers at the cyber security firm enSilo, who came up with the AtomBombing attack last year and have now released an unofficial patch for EsteemAudit, which is introduced later in this article.

EsteemAudit can also be turned into wormable malware, similar to the WannaCry ransomware, which would allow hackers to propagate through enterprise networks, leaving thousands of systems vulnerable to ransomware, espionage and other malicious attacks.

Ransomware authors, such as the criminals behind CrySiS, Dharma, and SamSam, who are already infecting computers over the RDP protocol using brute force attacks, could leverage EsteemAudit at any time for widespread and damaging attacks like WannaCry.

How to Secure Your Computers?

Due to the havoc caused by WannaCry, the SMB service gained all the attention while RDP was neglected.

"Windows XP-based systems currently account for more than 7 percent of desktop operating systems still in use today, and the cyber security industry estimates that more than 600,000 web-facing computers, which host upwards of 175 million websites, still run Windows Server 2003 accounting for roughly 18 percent of the global market share," researchers say.

Since Microsoft has not released any patch for this vulnerability, users and enterprises are advised to upgrade their systems to newer versions to secure themselves from EsteemAudit attacks.

"Of the three remaining exploits, “EnglishmanDentist,” “EsteemAudit,” and “ExplodingCan,” none reproduces on supported platforms, which means that customers running Windows 7 and more recent versions of Windows or Exchange 2010 and newer versions of Exchange are not at risk," Microsoft says.

If it is hard for your enterprise to upgrade its systems immediately, it should at least secure its RDP port by either disabling it or putting it behind a firewall.

Meanwhile, enSilo has released a patch to help Windows XP and Server 2003 users secure their machines against EsteemAudit. You can apply the patch to secure your systems, but keep in mind that it is not an official patch from Microsoft.

If you have any doubts about the patch, enSilo is a reputable cyber security company, though I expect Microsoft to release an official patch before any outcry like that over WannaCry.

Earlier today, a massive ransomware campaign hit the computer systems of hundreds of private companies and public organizations across the globe, in what is believed to be the most massive ransomware delivery campaign to date.

The ransomware in question has been identified as a variant of the ransomware known as WannaCry (also known as 'Wana Decrypt0r,' 'WannaCryptor' or 'WCRY').

Like other nasty ransomware variants, WannaCry also blocks access to a computer or its files and demands money to unlock it.

Once infected with the WannaCry ransomware, victims are asked to pay up to $300 to remove the infection from their PCs; otherwise, their PCs are rendered unusable and their files remain locked.

In separate news, researchers have also discovered a massive malicious email campaign that's spreading the Jaff ransomware at the rate of 5 million emails per hour and hitting computers across the globe.

Ransomware Using NSA's Exploit to Spread Rapidly

What's interesting about this ransomware is that the WannaCry attackers are leveraging a Windows exploit harvested from the NSA, called EternalBlue, which was dumped by the Shadow Brokers hacking group over a month ago.

Microsoft released a patch for the vulnerability in March (MS17-010), but many users and organizations that did not patch their systems remain open to attack.

The exploit can penetrate machines running unpatched versions of Windows XP through 2008 R2 by exploiting flaws in the Microsoft Windows SMB Server. This is why the WannaCry campaign is spreading at such an astonishing pace.

Once a single computer in your organization is hit by the WannaCry ransomware, the worm looks for other vulnerable computers and infects them as well.

"The worm functionality attempts to infect unpatched Windows machines in the local network. At the same time, it also executes massive scanning on Internet IP addresses to find and infect other vulnerable computers. This activity results in large SMB traffic from the infected host" Microsoft says.
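The behaviour Microsoft describes, one host suddenly opening SMB connections to many other machines, is something a defender can catch in firewall or flow logs well before the ransom note appears. The following is an added example, not Microsoft's code or anything from the article: it assumes a simple constructed key=value log format (timestamp, src, dst, dport, proto) and flags any source that reaches an unusual number of distinct hosts on TCP/445 within a short sliding window. The log lines and thresholds are made up for illustration.

```python
"""Spot SMB worm-style scanning in connection logs.

Added example (not Microsoft's or the article's code). It assumes a constructed
key=value log format and flags any source that opens TCP/445 connections to many
distinct hosts within a short window, the "large SMB traffic from the infected
host" pattern described in the quote.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, Iterator, Tuple

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)")


def _build_sample_log() -> str:
    """Constructed log lines (not real traffic) covering three behaviours."""
    t0 = datetime(2017, 5, 12, 10, 0, 1)
    fmt = "{ts:%Y-%m-%dT%H:%M:%SZ} src={src} dst={dst} dport={dport} proto={proto} action=allow"
    lines = []
    # 10.0.0.5 behaves like the worm: 12 distinct hosts on 445/tcp within 12 seconds.
    for i in range(12):
        lines.append(fmt.format(ts=t0 + timedelta(seconds=i), src="10.0.0.5",
                                dst=f"10.0.0.{101 + i}", dport=445, proto="tcp"))
    # 10.0.0.6 touches the same 12 hosts but slowly (one every 90 s), e.g. a backup job.
    for i in range(12):
        lines.append(fmt.format(ts=t0 + timedelta(seconds=90 * i), src="10.0.0.6",
                                dst=f"10.0.0.{101 + i}", dport=445, proto="tcp"))
    # 10.0.0.8 is an ordinary client repeatedly using one file server.
    for i in range(3):
        lines.append(fmt.format(ts=t0 + timedelta(seconds=5 * i), src="10.0.0.8",
                                dst="10.0.0.20", dport=445, proto="tcp"))
    # Noise that must be ignored: web traffic and a UDP datagram to port 445.
    lines.append(fmt.format(ts=t0, src="10.0.0.5", dst="10.0.0.150", dport=80, proto="tcp"))
    lines.append(fmt.format(ts=t0, src="10.0.0.5", dst="10.0.0.151", dport=445, proto="udp"))
    return "\n".join(lines) + "\n"


SAMPLE_LOG = _build_sample_log()


def parse(log_text: str) -> Iterator[Tuple[datetime, str, str, int, str]]:
    """Yield (timestamp, src, dst, dport, proto); lines that do not match are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                   m["src"], m["dst"], int(m["dport"]), m["proto"])


def detect_smb_scanners(log_text: str, window_seconds: int = 60,
                        threshold: int = 10) -> Dict[str, int]:
    """Return {src: peak number of distinct 445/tcp destinations seen inside any
    window of `window_seconds`} for every source whose peak reaches `threshold`."""
    window = timedelta(seconds=window_seconds)
    by_src: Dict[str, list] = defaultdict(list)
    for ts, src, dst, dport, proto in parse(log_text):
        if dport == 445 and proto == "tcp":
            by_src[src].append((ts, dst))

    findings: Dict[str, int] = {}
    for src, events in by_src.items():
        events.sort()
        in_window: deque = deque()               # events still inside the sliding window
        live: Dict[str, int] = defaultdict(int)  # dst -> occurrences inside the window
        peak = 0
        for ts, dst in events:
            in_window.append((ts, dst))
            live[dst] += 1
            # Evict anything older than `window` relative to the newest event.
            while ts - in_window[0][0] > window:
                _old_ts, old_dst = in_window.popleft()
                live[old_dst] -= 1
                if live[old_dst] == 0:
                    del live[old_dst]
            peak = max(peak, len(live))
        if peak >= threshold:
            findings[src] = peak
    return findings


if __name__ == "__main__":
    print(detect_smb_scanners(SAMPLE_LOG))  # {'10.0.0.5': 12} with the defaults
```

The sliding window is what separates the worm from the slow backup job: both touch the same twelve hosts, but only 10.0.0.5 does so within a minute. Widening the window to 30 minutes makes 10.0.0.6 show up as well, which is the trade-off to keep in mind when tuning this against a real estate with legitimate SMB fan-out such as patch management or backup servers (those are the sources to allow-list rather than the threshold to raise).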

Infections from All Around the World

In just a few hours, the ransomware targeted over 45,000 computers in 74 countries, including the United States, Russia, Germany, Turkey, Italy, the Philippines and Vietnam, and the number was still growing, according to Kaspersky Labs.

According to one report, the ransomware attack has shut down work at 16 hospitals across the UK after doctors were blocked from accessing patient files. Another report says 85% of computers at the Spanish telecom firm Telefonica have been infected with this malware.

Independent security researcher MalwareTech reported that a large number of U.S. organizations (at least 1,600) have been hit by WannaCry, compared to 11,200 in Russia and 6,500 in China.

Screenshots of the WannaCry ransomware in different languages, including English, Spanish and Italian, were also shared online by various users and experts on Twitter.

Bitcoin wallets seemingly associated with WannaCry have reportedly started filling up with cash.

The Spanish computer emergency response organization (CCN-CERT) has even issued an alert that warns users of the "massive attack of ransomware" from WannaCry, saying (translated version):

"The ransomware, a version of WannaCry, infects the machine by encrypting all its files and, using a remote command execution vulnerability through SMB, is distributed to other Windows machines on the same network."

"Power firm Iberdrola and utility provider Gas Natural were also reported to have suffered from the outbreak," according to the BBC.

How to Protect Yourself from WannaCry

First of all, if you haven't patched your Windows machines and servers against EternalBlue exploit (MS17-010), do it right now.

To safeguard against such ransomware infections, you should always be suspicious of uninvited documents sent over email and should never click on links inside those documents without verifying the source.

To keep a tight grip on all your important files and documents, keep a good backup routine in place that copies them to an external storage device that is not always connected to your PC.

Moreover, make sure that you run an active anti-virus security suite of tools on your system, and most importantly, always browse the Internet safely.

A team of researchers from the University of Michigan discovered that hundreds of applications in Google Play Store have a security hole that could potentially allow hackers to steal data from and even implant malware on millions of Android smartphones.

The University of Michigan team says that the actual issue lies within apps that create open ports — a known problem with computers — on smartphones.

So, this issue has nothing to do with your device's operating system or the handset; instead, this so-called backdoor originates in insecure coding practices by various app developers.

The team used its custom tool to scan over 100,000 Android applications and found 410 potentially vulnerable applications — many of which have been downloaded between 10 and 50 million times, and at least one app comes pre-installed on Android smartphones.

Here, let's stop first and understand exactly what ports do and what the related threats are.

Ports can be either physical or electronic in nature. Physical ports are connection points on your smartphones and computers, such as a USB port used to transfer data between devices.

Electronic ports are invisible doors that an application or a service uses to communicate with other devices or services. For example, the File Transfer Protocol (FTP) service by default opens port 21 to transfer files, and you need port 80 open in order to connect to web sites over HTTP.

In other words, every application on a device that communicates over a network opens a port (numbered 1 to 65535), which can be thought of as a virtual door, to exchange data with other devices, whether a smartphone, server, personal computer or Internet-connected smart appliance.

Over the years, more and more applications on the market function over the Internet or a network, but at the same time these applications, and the ports they open, can be a weak link in your system that could allow a hacker to breach or take control of your device without your knowledge.

This is exactly what the University of Michigan team has detailed in its research paper [PDF] titled, "Open Doors for Bob and Mallory: Open Port Usage in Android Apps and Security Implications."

According to the researchers, the major issue is with the apps like WiFi File Transfer, which has been installed between 10 million and 50 million times and allows users to connect to a port on their smartphone via Wi-Fi, making it easy to transfer files from a phone to a computer.

But due to insufficient security, this ability is apparently not limited to the smartphone's owner but is also available to malicious actors.

However, applications like WiFi File Transfer pose fewer threats, as they are designed to work over a local network only, which requires attackers to be connected to the same network as you.

On the other hand, this issue is extremely dangerous in the scenarios where you connect to a public Wi-Fi network or corporate network more often.

To get an initial estimate of the impact of these vulnerabilities, the team performed a port scan on its campus network and, within 2 minutes, found a number of mobile devices potentially using these vulnerable apps.

"They manually confirmed the vulnerabilities for 57 applications, including popular mobile apps with 10 to 50 million downloads from official app marketplaces, and also an app that is pre-installed on a series of devices from one manufacturer," the researchers say.

"The vulnerabilities in these apps are generally inherited from the various usage of the open port, which exposes the unprotected sensitive functionalities of the apps to anyone from anywhere that can reach the open port."

No doubt an open port is an attack surface, but it should be noted that a port opened by an application cannot be exploited unless a vulnerability exists in the application, such as improper authentication, remote code execution or a buffer overflow flaw.

Besides this, an attacker must have the IP address of the vulnerable device, exposed over the Internet. But getting a list of vulnerable devices is not a big deal today, when anyone can rent cheap cloud capacity to scan the whole Internet within a few hours.

However, smartphones connected to the Internet over a wireless network behind a router are less affected by this issue, because in that case attackers would need to be on the same wireless network as the victim.

To prove its point, the team of researchers has also demonstrated various attacks in a series of videos, posted below:

1. Using an app's open ports to steal photos with on-device malware

2. Stealing photos via a network attack

3. Forcing the device to send an SMS to a premium service

The team says these vulnerabilities can be exploited to cause highly-severe damage to users like remotely stealing contacts, photos, and even security credentials, and also performing sensitive actions such as malware installation and malicious code execution.

The easiest solution to this issue is to uninstall apps that open insecure ports; putting these applications behind a proper firewall could also solve most of the issues.
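The paper's point, restated above, is that an open port only becomes a hole when the code behind it is weak, with "improper authentication" the most common defect, and that binding to every interface needlessly widens who can reach it. The following is an added example, not code from the paper or from any of the apps it names, showing the weak pattern beside its hardened form for a tiny file-listing listener. The "LIST" protocol, the photo names and the token are all made up for illustration.

```python
"""An open port with no authentication beside its hardened form.

Added example, not code from the paper or from any app it names. The
"LIST [token]" protocol, the photo names and the token are all hypothetical.
"""
import hmac
import socket
import socketserver
import threading
from typing import Optional

# Constructed stand-in for a phone's photo directory.
PHOTOS = ["IMG_0001.jpg", "IMG_0002.jpg"]


def choose_bind_address(share_on_lan: bool) -> str:
    """Bind to loopback unless sharing over the LAN is genuinely required.

    The vulnerable apps in the paper listen on all interfaces (0.0.0.0) even
    when only a local companion process needs the port.
    """
    return "0.0.0.0" if share_on_lan else "127.0.0.1"


def handle_line(line: bytes, required_token: Optional[str]) -> bytes:
    """Serve one request line of the hypothetical protocol "LIST [token]".

    required_token=None reproduces the weak pattern: whoever reaches the
    port gets the listing. With a token set, the client must present it, and
    the comparison uses hmac.compare_digest so timing does not leak the secret.
    """
    parts = line.strip().split()
    if not parts or parts[0] != b"LIST":
        return b"ERR unknown command\n"
    if required_token is not None:
        supplied = parts[1] if len(parts) > 1 else b""
        if not hmac.compare_digest(supplied, required_token.encode()):
            return b"ERR unauthorized\n"
    return b"OK " + ",".join(PHOTOS).encode() + b"\n"


class _Handler(socketserver.StreamRequestHandler):
    def handle(self) -> None:
        line = self.rfile.readline(1024)  # cap the read so a client cannot exhaust memory
        self.wfile.write(handle_line(line, self.server.required_token))


class FileShareServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, bind_host: str, required_token: Optional[str]):
        super().__init__((bind_host, 0), _Handler)  # port 0: let the OS pick a free port
        self.required_token = required_token


def start_server(bind_host: str, required_token: Optional[str]) -> FileShareServer:
    """Start a server in a background thread; the chosen port is in server_address."""
    srv = FileShareServer(bind_host, required_token)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def query(port: int, command: bytes) -> bytes:
    """Send one command to a server on loopback and return its reply line."""
    with socket.create_connection(("127.0.0.1", port), timeout=2) as s:
        s.sendall(command)
        return s.makefile("rb").readline()


def demo() -> dict:
    """Exercise both variants on loopback and return the replies."""
    weak = start_server("127.0.0.1", None)
    hardened = start_server("127.0.0.1", "t0ken-example")
    try:
        return {
            "weak_no_token": query(weak.server_address[1], b"LIST\n"),
            "hardened_no_token": query(hardened.server_address[1], b"LIST\n"),
            "hardened_wrong_token": query(hardened.server_address[1], b"LIST guess\n"),
            "hardened_right_token": query(hardened.server_address[1], b"LIST t0ken-example\n"),
        }
    finally:
        for srv in (weak, hardened):
            srv.shutdown()
            srv.server_close()


if __name__ == "__main__":
    for name, reply in demo().items():
        print(f"{name:22s} {reply!r}")
```

Running the demo shows the weak listener handing the listing to an anonymous client while the hardened one refuses both the missing and the guessed token. The two changes are independent and both matter: a token stops anyone who can reach the port, and binding to loopback (or a specific interface) shrinks who can reach it in the first place, which is the cheapest mitigation when the feature is not needed over the network at all.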